SEC Identity Theft Red Flags Rule Template

advertisement
Identity Theft Red Flags Rule Template
Important: If you choose to use this template as
a guide, you must adapt it to reflect your
individual firm. Without the analysis and
modification required to fit your firm’s situation,
your Identity Theft Prevention Program (ITPP)
will not comply with regulatory requirements.
This template is an optional guide for firms to assist them in fulfilling their requirements
under Securities and Exchange Commission (“SEC”) Regulation S-ID: Identity Theft
Red Flags (“Red Flags Rule”), which requires specified firms to create a written Identity
Theft Prevention Program (“ITPP”) designed to identify, detect and respond to “red
flags”—patterns, practices or specific activities—that could indicate identity theft.
Identity theft is a fraud committed or attempted using the identifying information of
another person without authority.
Background
On January 1, 2011, the Federal Trade Commission (“FTC”) began enforcing its Fair and
Accurate Credit Transactions Act of 2003 Red Flags Rule (“FACT Act Red Flags Rule”),
which required that each “financial institution” or “creditor”—which includes most
securities firms—implement a written program to detect, prevent and mitigate identity
theft in connection with the opening or maintenance of “covered accounts.” On July 21,
2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act amended the
Fair Credit Reporting Act (“FCRA”) to transfer responsibility to the SEC and CFTC for
rulemaking and enforcement of identity theft red flag rules and guidelines for the firms
they regulate. On April 19, 2013, the SEC and CFTC published their joint final Identity
Theft Red Flags Rules and guidelines with a compliance date of November 20, 2013. The
SEC and CFTC rules and guidelines do not contain requirements that were not already in
the FTC’s FACT Act Red Flags Rule and do not expand the scope of that rule to include
new categories of entities that the rule did not already cover. They do, however, contain
examples and minor language changes designed to help guide entities within the SEC's
and CFTC’s enforcement authority in complying with the rule, which may lead some
entities that had not previously complied with the rule to determine that they fall within
the scope of the rules that the SEC and CFTC adopted. An earlier version of this template
assisted firms in complying with the FACT Act Red Flags Rule. It has been updated to
align with the SEC and CFTC joint final rules and guidance.
Template Use
The obligation to develop a written Red Flags Rule ITPP is not a “one-size-fits-all”
requirement, so you must customize this template to fit your particular firm’s
situation. If any of the language does not adequately address your firm’s business
situation, you will need to prepare your own language. You are responsible for ensuring
that the program fits your firm’s business and that you implement the program. The
language in this template is designed to be a starting point and to walk you through
developing your firm’s ITPP. Following this template does not guarantee compliance, or
1
create any safe harbor, with FINRA, SEC, CFTC or FTC rules or regulations, the federal
securities laws or state laws.

TEXT EXAMPLES are provided in this template to give you sample language that
you can modify to create your firm’s ITPP.

Material in italics provides instructions, the relevant rules and other resources that
you can use to develop your firm’s plan; you will likely want to delete this
material—and the introductory material that is boxed in the first pages of this
document (i.e., the material up to “[Firm Name]”)—from your final ITPP.
Red Flags Rule Coverage and Periodic Review
The SEC’s Red Flags Rule applies to SEC-regulated entities that qualify as “financial
institutions” or “creditors” under FCRA and requires those financial institutions and
creditors that maintain “covered accounts” to adopt identity theft programs.
SEC-regulated entities that are likely to qualify as financial institutions or creditors and
maintain covered accounts include most registered brokers, dealers and investment
companies, and some registered investment advisers. If your firm is a financial institution
or a creditor that offers or maintains covered accounts, it must develop and implement a
written ITPP that is designed to detect, prevent and mitigate identity theft in connection
with the opening of a covered account or any existing covered account and which must
be appropriate to the size and complexity of the financial institution or creditor and the
nature and scope of its activities. FINRA believes that most member firms will be
required to prepare an ITPP under the Red Flags Rule. Even if it does not have to prepare
an ITPP now, your firm must have internal controls to periodically review its operations,
and prepare an ITPP if it later becomes a financial institution or a creditor that offers or
maintains covered accounts.
Rule: 17 Code of Federal Regulations (C.F.R.) § 248.201(d)(1).
Definitions
Financial Institution. Your firm is a “financial institution” if it provides, either directly or
indirectly through your clearing firm, consumer “transaction accounts,” which are
deposits or accounts that allow depositors or account holders to make withdrawals by
negotiable or transferable instrument, payment orders of withdrawal, telephone transfers,
or other similar items (e.g., debit or credit cards) for the purpose of making payments or
transfers to third persons or others. Since “consumer” is defined as an individual, a firm
without individuals as clients would not be a financial institution under this definition.
Creditor. Your firm is a “creditor” if it regularly extends, renews or continues credit or
arranges for its extension, renewal or continuation. A firm that is not a financial
institution because it has only institutional customers can still be a creditor if it extends
credit, or arranges to extend credit, for any of its customers.
Covered Accounts. If your firm is either a financial institution or a creditor, you must
analyze whether it maintains or offers “covered accounts,” which are any accounts that
2
(1) are primarily for personal, family, or household purposes that involve or are designed
to permit multiple payments or transactions (such as brokerage accounts or accounts
maintained by a mutual fund (or its agent) that permit wire transfers or other payments to
third parties, and (2) involve a reasonably foreseeable risk from identity theft to
customers or the safety and soundness of your firm, including financial, operational,
compliance, reputation or litigation risks.
Rule: 17 C.F.R. § 248.201(b).
_____________________
Program Elements
The four program elements for an ITPP specified in the Red Flags Rule require your firm
to have reasonable policies and procedures to:
(1) Identify relevant red flags for the covered accounts that the firm offers or maintains,
and incorporate those red flags into its ITPP;
(2) Detect red flags that have been incorporated into the firm’s ITPP;
(3) Respond appropriately to any red flags that are detected to prevent and mitigate
identity theft; and
(4) Update the ITPP (including the red flags determined to be relevant) periodically to
reflect changes in risks to customers and to the safety and soundness of the firm from
identity theft.
Rule: 17 C.F.R. § 248.201(d)(2) and Appendix A, Sections I through V.
_____________________
Program Administration
To provide for the continued administration of your ITPP, your firm must:
(1) Get approval of the initial written ITPP from the firm’s board of directors, an
appropriate committee of it, or, if there is no board, a designated member of senior
management;
(2) Involve the board, board committee or the designated member of senior management
in the oversight, development, implementation and administration of the ITPP;
(3) Train staff to implement the ITPP; and
(4) Oversee service provider arrangements.
Rules: 17 C.F.R. § 248.201(e) and Appendix A, Section VI. See also 78 FR 23638, 23646
(April 19, 2013) (SEC and CFTC Identity Theft Red Flags Rule; Final Rule Release)
(the final rules require that a financial institution or creditor obtain approval of the
initial written program from either its board of directors, an appropriate committee of
the board of directors, or if the entity does not have a board, from a designated senior
management employee).
_____________________
Resources
3
SEC




SEC and CFTC Identity Theft Red Flags Rule; Final Rule Release, 78 FR 23638
(April 19, 2013)
PART 248—REGULATIONS S-P, S-AM, AND S-ID
SEC Identity Theft Red Flags Rule: A Small Firm Compliance Guide
SEC Staff Responses to Questions about Regulation S-P
FINRA
 Customer Information Protection Webpage (providing information about firms'
obligations to protect customer account information and links to resources to help
firms meet those obligations)

FINRA Regulatory Notice 07-36 - FINRA Clarifies Guidance Relating to SEC
Regulation S-P (Special Considerations When Supervising Recommendations of
Newly Associated Registered Representatives to Replace Mutual Funds and
Variable Products)

NASD Notice to Members 05-49 - NASD Reminds Members of Their
Obligations Relating to the Protection of Customer Information
Historical and Related Guidance

FINRA Regulatory Notice 08-69 - Alert to Member Firms About the Federal
Trade Commission’s FACT Act Regulations and the Announcement of the FTC’s
Decision to Delay Enforcement of the Red Flags Rule until May 1, 2009

FTC’s Fighting Fraud with the Red Flags Rule: A How-To Guide for Business

Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate
Credit Transactions Act of 2003, Final Rule, Federal Trade Commission and the
Federal Financial Institution Regulatory Agencies (FTC Red Flags Rule)

FTC’s Complying with the Red Flags Rule: Do-It-Yourself Program for
Businesses at Low Risk For Identity Theft

FTC Identity Theft Site

Guidance on Authentication in Internet Banking Environment- Federal Financial
Institutions Examination Council's (FFIEC)

Supplement to Authentication in an Internet Banking Environment (FFIEC)

National Institute of Standards and Technology (NIST) Electronic Authentication
Guidelines

Treasury Final Rule Regarding Broker/Dealer Customer Identification Programs
(05/09/03) (under Anti-Money Laundering (AML) Rules and Regulations on
FINRA’s AML Web page)
4
[Firm Name]
Identity Theft Prevention Program (ITPP) under the
Red Flags Rule
I.
Firm Policy
State your firm’s objectives for your ITPP.
TEXT EXAMPLE: Our firm’s policy is to protect our customers and their accounts from
identity theft and to comply with the SEC’s Red Flags Rule. We will do this by
developing and implementing this written ITPP, which is appropriate to our size and
complexity, as well as the nature and scope of our activities. This ITPP addresses (1)
identifying relevant identity theft red flags for our firm, (2) detecting those red flags, (3)
responding appropriately to any that are detected to prevent and mitigate identity theft,
and (4) updating our ITPP periodically to reflect changes in risks.
Our identity theft policies, procedures and internal controls will be reviewed and updated
periodically to ensure they account for changes both in regulations and in our business.
Rule: 17 C.F.R. § 248.201(d)(1) and Appendix A, Section I.
II.
ITPP Approval and Administration
State who is responsible for initial approval of this ITPP, which should be your board of
directors or an appropriate board committee; or, if you have no board, a designated
member of senior management. State who is responsible for the oversight, development,
implementation and administration of the ITPP, which may be a designated member of
senior management, your board or a board committee.
TEXT EXAMPLE: The firm’s Board of Directors, or the [Name] Committee of the Board,
or [Name, title], a member of senior management, approved this initial ITPP. [Name,
title], a member of senior management, is the designated identity theft officer and is
responsible for the oversight, development, implementation and administration (including
staff training and oversight of third party service providers of ITTP services) of this
ITPP.
Rule: 17 C.F.R. § 248.201(e) and Appendix A, Section VI(a).
III.
Relationship to Other Firm Programs
Describe how this ITPP relates to your firm’s other programs to protect customer data,
such as the data safekeeping and disposal procedures under Regulation S-P, your
5
Customer Identification Program and red flags detection under your AML Compliance
Program.
TEXT EXAMPLE: We have reviewed other policies, procedures and plans required by
regulations regarding the protection of our customer information, including our policies
and procedures under Regulation S-P, [and] our Customer Identification Program (“CIP”)
and red flags detection under our AML Compliance Program [and list any others] in the
formulation of this ITPP, and modified either them or this ITPP to minimize
inconsistencies and duplicative efforts.
Rule: Appendix A, Section I.
IV.
Identifying Relevant Red Flags
To identify relevant identity theft red flags, your firm must assess certain risk factors and
sources, as well as the categories and examples listed in Supplement A to Appendix A of
the SEC’s Red Flags Rule (See Resources, above). This consideration forms the basis for
modifying the attached Red Flag Identification and Detection Grid to cover your firm’s
situation and experience.
TEXT EXAMPLE: To identify relevant identity theft Red Flags, our firm assessed these
risk factors: (1) the types of covered accounts it offers, (2) the methods it provides to
open or access these accounts, and (3) previous experience with identity theft. Our firm
also considered the sources of red flags, including identity theft incidents our firm has
experienced, changing identity theft techniques our firm thinks likely, and applicable
supervisory guidance. In addition, we considered red flags from the following five
categories (and the 25 numbered examples under them) from Supplement A to Appendix
A of the SEC’s Red Flags Rule, as they fit our situation: (1) alerts, notifications or
warnings from a credit reporting agency; (2) suspicious documents; (3) suspicious
personal identifying information; (4) suspicious account activity; and (5) notices from
other sources. We understand that some of these categories and examples may not be
relevant to our firm and some may be relevant only when combined or considered with
other indicators of identity theft. We also understand that the examples are not exhaustive
or a mandatory checklist, but a way to help our firm think through relevant red flags in
the context of our business. Based on this review of the risk factors, sources, and
examples of red flags, we have identified our firm’s red flags, which are contained in the
first column of the attached “Red Flag Identification and Detection Grid” (“Grid”).
Rule: 17 C.F.R. § 248.201(d)(2)(i) and Appendix A, Section II.
V.
Detecting Red Flags
Your firm’s ITPP must address how, in connection with opening and maintaining its
covered accounts, it will detect the red flags it identified in Part IV above and set out in
the first column of the attached Grid. For opening covered accounts, that can include
getting identifying information about and verifying the identity of the person opening the
account by using your CIP. For existing covered accounts, it can include authenticating
6
customers, monitoring transactions, and verifying the validity of changes of address.
How your firm will detect each of its identified red flags is to be set out in the second
column of the attached Grid.
TEXT EXAMPLE: We have reviewed our covered accounts, how we open and maintain
them, and how to detect red flags that may have occurred in them. Our detection of those
red flags is based on our methods of getting information about applicants and verifying it
under our CIP of our AML compliance procedures, authenticating customers who access
the accounts, and monitoring transactions and change of address requests. For opening
covered accounts, that can include getting identifying information about and verifying the
identity of the person opening the account by using the firm’s CIP. For existing covered
accounts, it can include authenticating customers, monitoring transactions, and verifying
the validity of changes of address. Based on this review, we have included in the second
column (“Detecting the Red Flag”) of the attached Grid how we will detect each of our
firm’s identified red flags.
Rule: 17 C.F.R. § 248.201(d)(2)(ii) and Appendix A, Section III.
VI.
Preventing and Mitigating Identity Theft
Your firm’s ITPP must provide responses to its detected red flags that match the risk
involved.
TEXT EXAMPLE: We have reviewed our covered accounts, how we open and allow
access to them, and our previous experience with identity theft, as well as new methods
of identity theft we have seen or foresee as likely. Based on this and our review of the
Red Flags Rule and its suggested responses to mitigate identity theft, as well as other
sources, we have developed our procedures below to respond to detected identity theft
red flags.
Procedures to Prevent and Mitigate Identity Theft
When we have been notified of a red flag or our detection procedures show evidence of a
red flag, we will take the steps outlined below, as appropriate to the type and seriousness
of the threat:
Applicants. For red flags raised by someone applying for an account:
1. Review the application. We will review the applicant’s information collected for
our CIP under our AML Compliance Program (e.g., name, date of birth, address,
and an identification number such as a Social Security Number or Taxpayer
Identification Number).
2. Get government identification. If the applicant is applying in person, we will also
check a current government-issued identification card, such as a driver’s license
or passport. If the applicant is submitting an electronic application via our
website, we will use [describe your Internet authentication methods; under
Resources, above, see the Guidance on Authentication in an Internet Banking
7
3.
4.
5.
6.
Environment-Federal Financial Institutions Examination Council's (FFIEC),its
Supplement, and the NIST Electronic Authentication Guidelines].
Seek additional verification. If the potential risk of identity theft indicated by the
red flag is probable or large in impact, we may also verify the person’s identity
through non-documentary CIP methods, including:
a. Contacting the customer,
b. Independently verifying the customer’s information by comparing it with
information from a credit reporting agency, public database or other
source such as a data broker [or] the Social Security Number Death Master
File [or list other sources],
c. Checking references with other affiliated financial institutions, or
d. Obtaining a financial statement.
Deny the application. If we find that the applicant is using an identity other than
his or her own, we will deny the account.
Report. If we find that the applicant is using an identity other than his or her own,
we will report it to appropriate local and state law enforcement; where organized
or widespread crime is suspected, the FBI or Secret Service; and if mail is
involved, the US Postal Inspector. We may also, as recommended by FINRA’s
Customer Information Protection web page’s “Firm Checklist for Compromised
Accounts,” report it to our FINRA coordinator; the SEC; state regulatory
authorities, such as the state securities commission; and our clearing firm.
Notification. If we determine personally identifiable information has been
accessed, we will prepare any specific notice to customers or other required notice
under state law. [Note: See National Conference of State Legislators’ listing of
state notification requirements. (This site may not be updated or comprehensive.
Each firm is responsible to research all applicable state requirements. State and
local laws and regulations are not uniform. All broker-dealers must have policies
and procedures reasonably designed to prevent and detect violations of the laws
and regulations of the jurisdictions in which they operate.)]
Access seekers. For red flags raised by someone seeking to access an existing customer’s
account:
1. Watch. We will monitor, limit, or temporarily suspend activity in the account
until the situation is resolved.
2. Check with the customer. We will contact the customer using our CIP information
for them, describe what we have found and verify with them that there has been
an attempt at identify theft.
3. Heightened risk. We will determine if there is a particular reason that makes it
easier for an intruder to seek access, such as a customer’s lost wallet, mail theft, a
data security incident, or the customer’s giving account information to an
imposter pretending to represent the firm or to a fraudulent website.
4. Check similar accounts. We will review similar accounts the firm has to see if
there have been attempts to access them without authorization.
5. Collect incident information. For a serious threat of unauthorized account access
we may, as recommended by FINRA’s Customer Information Protection web
page’s “Firm Checklist for Compromised Accounts,” collect if available:
8
6.
7.
8.
9.
a. Firm information (both introducing and clearing firms):
i. Firm name and CRD number
ii. Firm contact name and telephone number
b. Dates and times of activity
c. Securities involved (name and symbol)
d. Details of trades or unexecuted orders
e. Details of any wire transfer activity
f. Customer accounts affected by the activity, including name and account
number, and
g. Whether the customer will be reimbursed and by whom.
Report. If we find unauthorized account access, we will report it to appropriate
local and state law enforcement; where organized or wide spread crime is
suspected, the FBI or Secret Service; and if mail is involved, the US Postal
Inspector. We may also, as recommended by FINRA’s Customer Information
Protection web page’s “Firm Checklist for Compromised Accounts,” report it to
our FINRA coordinator; the SEC; State regulatory authorities, such as the state
securities commission; and our clearing firm.
Notification. If we determine personally identifiable information has been
accessed that results in a foreseeable risk for identity theft, we will prepare any
specific notice to customers or other required notice under state law. [see note at
6, under “Applicants” above]
Review our insurance policy. Since insurance policies may require timely notice
or prior consent for any settlement, we will review our insurance policy to ensure
that our response to a data breach does not limit or eliminate our insurance
coverage.
Assist the customer. We will work with our customers to minimize the impact of
identity theft by taking the following actions, as applicable:
a. Offering to change the password, security codes or other ways to access
the threatened account;
b. Offering to close the account;
c. Offering to reopen the account with a new account number;
d. Not collecting on the account or selling it to a debt collector; and
e. Instructing the customer to go to the FTC Identity Theft Website to learn
what steps to take to recover from identity theft, including filing a
complaint using its online complaint form, calling the FTC’s Identity
Theft Hotline 1-877-ID-THEFT (438-4338), TTY 1-866-653-4261, or
writing to Identity Theft Clearinghouse, FTC, 6000 Pennsylvania Avenue,
NW, Washington, DC 20580.
Rule: 17 C.F.R. § 248.201(d)(2)(iii) and Appendix A, Section IV.
VII. Clearing Firm and Other Service Providers
If your firm uses a clearing firm or other service providers in connection with its covered
accounts, it must ensure that the providers comply with reasonable policies and
procedures designed to detect, prevent and mitigate the risk of identity theft.
9
TEXT EXAMPLE: Our firm uses a clearing firm [and other service providers] in
connection with our covered accounts. We have a process to confirm that our clearing
firm and any other service provider that performs activities in connection with our
covered accounts, especially other service providers that are not otherwise regulated,
comply with reasonable policies and procedures designed to detect, prevent and mitigate
identity theft. We will require our service providers by contract to have such policies and
procedures and either report the red flags that may arise in the performance of the service
providers’ activities to us [or take appropriate steps of their own to prevent or mitigate
the identify theft or both]. Our clearing firm is [name, address, phone number, e-mail
address, website] and our contact person at that clearing firm is [name, phone number, email]. Our other service providers that perform activities in connection with our covered
accounts are: [list service provider’s name, address and phone number, and e-mail
address.]
Rule: 17 C.F.R. § 248.201(e)(4) and Appendix A, Section VI(c).
VIII. Internal Compliance Reporting
Describe how your firm’s staff will report your ITPP’s compliance with the regulations.
TEXT EXAMPLE: Our firm’s staff who are responsible for developing, implementing and
administering our ITPP will report at least annually to our [Board or committee or
designated member of senior management] on compliance with the Red Flags Rule. The
report will address the effectiveness of our ITPP in addressing the risk of identity theft in
connection with covered account openings, existing accounts, service provider
arrangements, significant incidents involving identity theft and management’s response
and recommendations for material changes to our ITPP.
Rule: Appendix A, Section VI(b).
IX.
Updates and Annual Review
Describe your firm’s update policy and annual review of your ITPP.
TEXT EXAMPLE: Our firm will update this plan whenever we have a material change to
our operations, structure, business or location or to those of our clearing firm, or when we
experience either a material identity theft from a covered account, or a series of related
material identity thefts from one or more covered accounts. Our firm will also follow new
ways that identities can be compromised and evaluate the risk they pose for our firm. In
addition, our firm will review this ITPP annually, on [date], to modify it for any changes
in our operations, structure, business, or location or substantive changes to our
relationship with our clearing firm.
Rule: 17 C.F.R. § 248.201(d)(2)(iv) and Appendix A, Sections V and VI.
10
X.
Approval
Approve the firm’s ITPP by signing below.
TEXT EXAMPLE: I approve this ITPP as reasonably designed to enable our firm to
detect, prevent and mitigate identity theft.
Rule: 17 C.F.R. § 248.201(e)(1)&(2) and Appendix A, Section VI.
Signed:
_______________________________
Title:
_______________________________
Date:
_______________________________
ATTACHMENT: Red Flag Identification and Detection Grid (Grid)
11
[FIRM NAME]
Red Flag Identification and Detection Grid
This grid provides Red Flags Rule categories and examples of potential red flags. Please
note these examples are neither an exhaustive nor a mandatory checklist, but a way to
help your firm think through relevant red flags in the context of its business. Some
examples may not be relevant to your firm, while others may be relevant when combined
or considered with other indicators of identity theft. Modify the cells in the table below as
described in the Red Flags Template Section IV, Identifying Relevant Red Flags, and
Section V, Detecting Red Flags. If any categories and examples under them do not apply
to your firm, delete the rows containing them. Likewise, add rows for any not on the list
that you need to add based on your risk factor and sources assessment. For example, if
your firm does not use consumer reports, delete the portion of the grid titled “Category:
Alerts, Notifications or Warnings from a Consumer Reporting Agency” and the rows of
red flag examples 1 – 4 under it.
TEXT EXAMPLE:
Red Flag
Detecting the Red Flag
Category: Alerts, Notifications or Warnings from a Consumer Reporting Agency
1. A fraud or active duty alert is included
We will verify that the fraud or active duty alert
on a consumer report.
covers an applicant or customer and review the
allegations in the alert. [In addition, describe any
other steps your firm takes].
2. A consumer reporting agency provides a We will verify that the credit freeze covers an
notice of credit freeze in response to a
applicant or customer and review the freeze. [In
request for a consumer report.
addition, describe any other steps your firm takes].
3. A consumer reporting agency provides a We will verify that the notice of address or other
notice of address discrepancy.
discrepancy covers an applicant or customer and
review the address discrepancy. [In addition, describe
any other steps your firm takes].
4. A consumer report shows a pattern of
We will verify that the consumer report covers an
activity that is inconsistent with an
applicant or customer, and review the degree of
applicant’s or customer’s activity history,
inconsistency with prior history. [In addition,
such as a recent and significant increase in describe any other steps your firm takes].
the volume of inquiries; an unusual number
of recently established credit relationships;
a material change in the use of credit,
especially with respect to recently
established credit relationships; or an
account closed for cause or for abuse of
account privileges.
Insert other red flags in this category
Insert how your firm would detect these red flags you
based on your firm’s own experience or its have identified.
knowledge of likely new methods of identity
theft.
Category: Suspicious Documents
5. Identification documents look altered
Our staff who deals with customers and their
12
or forged.
6. The identification presenter does not
look like the identification’s photograph or
physical description.
7. Other information on the identification
differs from what the identification
presenter is saying.
8. Other information on the identification
does not match other information our firm
has on file for the presenter, like the
original account application, signature card
or a recent check.
9. The application looks like it has been
altered, forged or torn up and reassembled.
supervisors will scrutinize identification presented in
person to make sure it is not altered or forged. [In
addition, describe any other steps your firm takes].
Our staff who deals with customers and their
supervisors will ensure that the photograph and the
physical description on the identification match the
person presenting it. [In addition, describe any other
steps your firm takes].
Our staff who deals with customers and their
supervisors will ensure that the identification and the
statements of the person presenting it are consistent.
[In addition, describe any other steps your firm
takes].
Our staff who deals with customers and their
supervisors will ensure that the identification
presented and other information we have on file from
the account, such as [describe the information] are
consistent. [In addition, describe any other steps your
firm takes].
Our staff who deals with customers and their
supervisors will scrutinize each application to make
sure it is not altered, forged, or torn up and
reassembled. [In addition, describe any other steps
your firm takes].
Insert how your firm would detect these red flags you
have identified.
Insert other red flags in this category
based on your firm’s own experience or its
knowledge of likely new methods of identity
theft.
Category: Suspicious Personal Identifying Information
10. Inconsistencies exist between the
Our staff will check personal identifying information
personal identifying information presented presented to us to ensure that the SSN given has been
and other things we know about the
issued but is not listed on the SSA’s Master Death
presenter or can find out by checking
File. If we receive a consumer report, they will check
readily available external sources, such as
to see if the addresses on the application and the
an address that does not match a consumer consumer report match. [In addition, describe any
report, or the Social Security Number
other steps your firm takes].
(SSN) has not been issued or is listed on
the Social Security Administration's
(SSA’s) Death Master File.
11. Inconsistencies exist in the personal
Our staff will check personal identifying information
identifying information that the customer
presented to us to make sure that it is internally
gives us, such as a date of birth that does
consistent by comparing the date of birth to see that it
not fall within the number range on the
falls within the number range on the SSA’s issuance
SSA’s issuance tables.
tables [or describe other internal consistency tests
made].
12. Personal identifying information
Our staff will compare the information presented with
13
presented has been used on an account our
firm knows was fraudulent, such as the
address or phone number provided on the
application is the same as the address or
phone number on a fraudulent application.
13. Personal identifying information
presented is a type commonly associated
with fraud, such as an address that is
fictitious, a mail drop, or a prison; or a
phone number is invalid, or is for a pager
or answering service.
14. The SSN presented was used by
someone else opening an account or other
customers.
15. The address or telephone number
presented has been used or is similar to
those used by many other people opening
accounts or other customers.
16. The person opening the account or the
customer omits required personal
identifying information on an application
or in response to notification that the
application is incomplete.
17. Inconsistencies exist between the
personal identifying information that is
presented and what our firm has on file.
18. For firms that use challenge questions,
the person opening the account or the
customer cannot provide authenticating
information beyond what would be found
in a wallet or consumer report.
addresses and phone numbers on accounts or
applications we found or were reported were
fraudulent. [In addition, describe any other steps your
firm takes].
Our staff will validate the information presented
when opening an account by looking up addresses on
the Internet to ensure they are real and not for a mail
drop or a prison, and will call the phone numbers
given to ensure they are valid and not for pagers or
answering services. [In addition, describe any other
steps your firm takes].
Our staff will compare the SSNs presented to see if
they were given by others opening accounts or other
customers. [In addition, describe any other steps your
firm takes].
Our staff will compare address and telephone number
information to see if they were used by other
applicants and customers. [In addition, describe any
other steps your firm takes].
Our staff will track when applicants or customers
have not responded to requests for required
information and will follow up with the applicants or
customers to determine why they have not responded.
[In addition, describe any other steps your firm
takes].
Our staff will verify key items from the data
presented with information we have on file. [In
addition, describe any other steps your firm takes].
Our staff will authenticate identities for existing
customers by asking challenge questions that have
been prearranged with the customer and for
applicants or customers by asking questions that
require information beyond what is readily available
from a wallet or a consumer report. [In addition,
describe any other steps your firm takes].
Insert how you would detect these red flags you have
identified.
Insert other red flags in this category
based on your firm’s own experience or its
knowledge of likely new methods of identity
theft.
Category: Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Soon after we get a change of address
We will verify change of address requests by sending
request for an account, we receive a
a notice of the change to both the new and old
request for new or additional access means addresses so the customer will learn of any
(such as debit cards or checks) or
unauthorized changes and can notify us. [In addition,
authorized users for the account.
describe any other steps your firm takes].
14
20. An account develops new patterns of
activity, such as nonpayment inconsistent
with prior history; a material increase in
the use of available credit; or a material
change in spending patterns or electronic
fund transfers.
21. An account that is inactive for a long
time is suddenly used again.
22. Mail our firm sends to a customer is
returned repeatedly as undeliverable even
though the account remains active.
23. We learn that a customer is not getting
his or her paper account statements.
24. We are notified that there are
unauthorized charges or transactions to the
account.
We will review our accounts on at least a monthly
basis and check for suspicious new patterns of
activity such as nonpayment, a large increase in credit
use, or a big change in spending or electronic fund
transfers. [In addition, describe any other steps your
firm takes].
We will review our accounts on at least a monthly
basis to see if long inactive accounts become very
active. [In addition, describe any other steps your
firm takes].
We will note any returned mail for an account and
immediately check the account’s activity. [In
addition, describe any other steps your firm takes].
We will record on the account any report that the
customer is not receiving paper statements and
immediately investigate them. [In addition, describe
any other steps your firm takes].
We will verify if the notification is legitimate and
involves a firm account, and then investigate the
report. [In addition, describe any other steps your
firm takes].
Insert how you would detect these red flags you have
identified.
Insert other red flags in this category
based on your firm’s own experience or its
knowledge of likely new methods of identity
theft.
Category: Notice From Customers, Victims of Identity Theft, Law Enforcement Authorities,
or Other Persons Regarding Possible Identity Theft in Connection with Covered Account
25. We are told that an account has been
We will verify that the notification is legitimate and
opened or used fraudulently by a customer, involves a firm account, and then investigate the
an identity theft victim, or law
report. [In addition, describe any other steps your
enforcement.
firm takes].
We learn that unauthorized access to the
We will contact the customer to learn the details of
customer’s personal information took place the unauthorized access to determine if other steps are
or became likely due to data loss (e.g., loss warranted. [In addition, describe any other steps your
of wallet, birth certificate, or laptop),
firm takes].
leakage, or breach.
Insert other red flags in this category
Insert how your firm would detect these red flags you
based on your firm’s own experience or its have identified.
knowledge of likely new methods of identity
theft.
15
Download